Five Practices for Secure Mobile Apps

By now, just about any IT pro or CIO has read dozens of stories on the Heartbleed bug, a flaw in the open-source OpenSSL cryptography library that hundreds of thousands of websites and mobile apps use to secure data in transit. Heartbleed is a big deal, but for most IT pros and CIOs it only illuminated what they already knew – that mobile security is one of the most pressing issues for them in 2014.

Specifically, mobile app security is paramount for any enterprise today. As is true in traditional application (desktop and web) development, security cannot be an afterthought for mobile app development. It needs to be a consideration throughout the entire lifecycle, from planning, development and testing to release and analysis.

That’s why, at Appcelerator, we’ve baked numerous security capabilities into our Platform to enable your development process at every turn.

See, the way mobile apps are developed and the speed with which they’re delivered means a set of challenges quite different from traditional apps. A crucial focus for mobile app security must be on the client side – at the device or app level – and at Appcelerator, we’ve enabled five key security capabilities:

1. Source Code Encryption

Mobile app security works differently than it does for a traditional application. If you’re a developer building a web application, for example, your code and business logic reside on a secure backend web or application server in the data center, or in the cloud. The client side of a website is really just a user interface, accessing functionality and data from these backend servers via the Internet.

But with native mobile apps, much of this code resides on the client providing both the UI components as well as any local business logic.

With the app code on the device, it’s potentially vulnerable to anyone who has downloaded your app. A malicious user who has downloaded your app can potentially view your code, and:

Access your IP,

Reverse engineer the app, inject malicious code, then re-publish back to the app store (in the case of Google Play) or

You need to keep your code secret. That’s why we support encryption for the code in your apps. JavaScript, for example, is fairly easy to read and understand. Obfuscation and minification can help make it more difficult to interpret, and is certainly better than nothing, but encryption provides the highest, most reliable security rendering it completely unreadable.

2. Database Encryption, and 3. File-level Encryption

The varying bandwidth and connection quality on mobile devices doesn’t just mean that more client-side code is required; it also means more data is stored on the device. Again, web-based desktop applications assume an ever-present and reliable connection – but for mobile, data often needs to reside on the device itself, whether temporarily or permanently.

The nature of this difference has a major impact on security, introducing concerns that traditional applications simply don’t have to contend with. Many developers use the SQLite mobile database, or store the data on the local file system. Neither encrypts data by default, which is why we built the Appcelerator SQLite Encryption Module and offer file-level encryption across all supported OSs. These options allow enterprises to preserve the user experience by storing data on the device, all without sacrificing security.
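The claim that SQLite stores data in the clear is easy to check against the database file itself. The Python script below is an added example, not Appcelerator code: it builds a constructed cache.db with placeholder session tokens, reads the raw file bytes back without going through SQLite at all, and shows the tokens are readable; it also shows that rows deleted at logout linger in the file unless SQLite's secure_delete pragma is on, a second reason to encrypt the whole database rather than rely on deleting sensitive rows.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for session data an app caches locally; the tokens are placeholders.
SAMPLE_ROWS = [
    ("alice@example.com", "tok_PLACEHOLDER_0001"),
    ("bob@example.com", "tok_PLACEHOLDER_0002"),
]

def _connect(path, secure_delete):
    conn = sqlite3.connect(path)
    if secure_delete:
        # Zero freed cell content; off by default, and per connection, so set it every time.
        conn.execute("PRAGMA secure_delete = ON")
    return conn

def build_cache_db(path, secure_delete=False):
    """Create a plain SQLite file, as Ti.Database.open() or sqlite3 itself would."""
    conn = _connect(path, secure_delete)
    conn.execute("CREATE TABLE session (email TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO session VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()

def delete_rows(path, secure_delete=False):
    """Simulate a logout that deletes the cached rows one by one."""
    conn = _connect(path, secure_delete)
    conn.executemany("DELETE FROM session WHERE email = ?",
                     [(email,) for email, _ in SAMPLE_ROWS])
    conn.commit()
    conn.close()

def plaintext_hits(path, needles):
    """Scan the raw file bytes (no SQLite API, no credentials) and return the
    needles found verbatim: what a device backup or rooted handset exposes."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return sorted(n for n in needles if n.encode("utf-8") in blob)

def audit(secure_delete=False):
    """Return (tokens readable while live, tokens still readable after deletion)."""
    tokens = [token for _, token in SAMPLE_ROWS]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.db")
        build_cache_db(path, secure_delete)
        live = plaintext_hits(path, tokens)
        delete_rows(path, secure_delete)
        after = plaintext_hits(path, tokens)
    return live, after
```

With default settings `audit()` reports both tokens readable while live, and on most SQLite builds they remain readable after deletion; `audit(secure_delete=True)` still exposes the live tokens, which is the part only database or file-level encryption addresses.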

Employees today demand the ability to access their apps and data on the devices they use outside work. To make this happen while mitigating associated security concerns, MDM and mobile app management (MAM) solutions have risen to the occasion, offering features that help CIOs rest easy when it comes to the security of sensitive data.

MDM/MAM products solve for the vulnerabilities that come along with allowing employees to access company data on personal devices. Organizations can:

Create enterprise app stores for distribution

“Wrap” employee-facing apps with security layers to protect and manage their data

Set up controls that allow specific individuals to access as much or as little data as necessary

Remotely wipe data from devices of employees who no longer need access

The features these companies offer are crucial to enterprises, which is why the Appcelerator Platform integrates with MDM/MAM vendors like AirWatch, MobileIron and Apperian, to name a few. This way, enterprises can deploy apps built on the Appcelerator Platform through their enterprise app stores and keep them managed and secured at all times.

5. Protection of Data In Transit

Time to market is key in the new mobile world, and developers building mobile apps often work in a fraction of the time they would to build a web application. In the rush to put out mobile offerings, unfortunately, a lot of apps that are already out there don’t have the appropriate levels of security.

For example, sensitive information being sent from the client to backend servers needs to be protected to avoid privacy leaks. While this seems like a no-brainer to those familiar with web security, the immaturity of mobile development means many mobile apps out there today aren’t providing this level of security.

To ensure that data being sent from the client is secure, we support the use of either SSL or a VPN tunnel, which protects data in transit from eavesdropping, intentional or otherwise.

Honorable Mention: Extensibility

It’s worth noting: because we have an open and extensible platform, there are other security tools and modules you can find in our marketplace. For instance, mSignia can detect app cloning as well as provide a unique, secure solution for user authentication.

For readers interested in learning more about how the Appcelerator Platform can help support your enterprise mobility initiatives, you can register for our monthly seminar.

No matter what type of security needs your organization has, we are here to help you build world-class mobile experiences while keeping your apps and data secure.

13 COMMENTS

Was disappointed to not see Ben Bahrenburg’s Securely module (https://github.com/benbahrenburg/Securely) given an honorable mention. It patches a serious security hole with regards to info.plist entries, data stored in files, etc.

Owing to the high maintenance cost of this particular module, combined with the fact that most users were enterprise customers, we decided to make it a part of our enterprise Platform. For an open source alternative, SQLCipher can be wrapped in a module and used for SQLite encryption in Titanium.

Yes… as mentioned above, security should be implemented in a layered approach covering the many different types of vulnerabilities and weaknesses… I was really focusing on the solution pieces that we offer and facilitate. There are numerous other security tools out there that deal with other layers, such as malware threats etc.

Absolutely! And this is applicable both ways – to the consumer of apps as well as the developer. Both need to use security tools in layers because a single tool will not provide the best solution from all aspects. Especially when it comes to security, it is better to use multiple tools in different layers to ensure maximum advantage.

It promises App Validation, Device Recognition, and a fraud score system. We are very interested in this module… Is this module approved by Appcelerator? Can we trust it? There is no review or question on the marketplace… Has anybody already used this module?

Very helpful article. Is source code encryption automatic when compiling apps in titanium or do you need to invoke it somehow? Can a tool like APKTool reverse engineer an app created with Titanium and see the app key?
